CMD Commands to Troubleshoot Active Directory and User Account Issues

NET USER

The net user command manages user accounts and displays account details.

Usage:

net user // Lists all local user accounts

net user /domain // Lists all domain user accounts

net user “username” // Displays details of a specific local account

net user “username” /domain // Displays details of a specific domain account

net user “username” /active:no // Disables a user account

net user “username” /active:yes // Enables a user account

net user “username” /domain * // Reset domain password (password not shown)

net user “username” /domain “Password” // Reset domain password (password shown)

Use case: Quickly check account status, enable/disable accounts, reset password or verify last logon.

NET ACCOUNTS

This command displays password and logon requirements for user accounts.

Usage:

net accounts

Use case: Verify account policies such as password expiration, minimum password length, and lockout settings.

DSQUERY USER

dsquery allows you to search Active Directory for user accounts.

Usage:

dsquery user -name “username”

dsquery user -samid “username”

Use case: Find user objects in AD by name, SAM account, or other attributes.

DSGET USER

Once you identify a user with dsquery, use dsget to retrieve detailed information.

Usage:

CN=John Doe → The username (Common Name)

OU=Users → The Organizational Unit where the account is stored

DC=domain,DC=com → The domain components (e.g., contoso.com → DC=contoso,DC=com)

Usage with dsquery + dsget (easier method):

dsget user "CN=”Username”,OU=”Users”,DC=”domain”,DC=”com”" -memberof -display

dsquery user -name “Username*” | dsget user -memberof -display

This first searches for the user Alice and then passes the result into dsget to show her group memberships and details.

Use case: View a user’s group memberships, display name, and other AD attributes.

NET GROUP / NET LOCALGROUP

These commands manage and troubleshoot group memberships.

Usage:

net group “groupname” /domain // View domain group members

net localgroup “groupname” // View local group members

Use case: Check if a user is part of the correct AD or local groups.

NLTEST

nltest helps test trust relationships and domain controller connections.

Usage:

nltest /dsgetdc: ”domainname”

nltest /dclist: ”domainname”

Use case: Verify if the computer can locate a domain controller and check DC availability.

WHOAMI

This command displays the currently logged-in user and group memberships.

Usage:

Use case: Confirm which user account is being used and its group membership.

NETDOM QUERY

The netdom command is useful for querying domain information.

Usage:

whoami

whoami /groups

whoami /user

netdom query dc // Lists domain controllers

netdom query fsmo // Lists FSMO role holders

netdom query trust // Lists domain trusts

Use case: Troubleshoot AD replication, domain controllers, and trust relationships.

REPADMIN

repadmin diagnoses replication problems between domain controllers.

Usage:

repadmin /replsummary

repadmin /showrepl

Use case: Identify replication issues causing authentication or user account errors.